TrueCrypt Encryption Software Shut Down, May Be Compromised


house70

1. A perfect tarnishing campaign by NSA to get rid of the only serious roadblock,
or
2. A last attempt to conceal the real creators behind it (NSA), after convincingly posing as the one independent encryption solution; now that the audit is getting uncomfortably close to the people behind it the last resort is to abruptly shut it down.

 

LordConrad

I will keep using Truecrypt until it's proven insecure or until something better comes along. Whoever recommended Bitlocker is a fool, Microsoft is known for their snooping (Skype, Windows NSA decryption key).
 

bison88

I wouldn't go as far as recommending people stop using TrueCrypt. If you've been using a version prior to this 7.2 release then you should be good. Given 7.1a is already two years old and being looked into by researchers, any nefarious things that old will be discovered.

However, going forward I wouldn't trust TrueCrypt. Even if this was a joke, internal bickering, or a malicious hacker, the trust has already been ruined. These guys are anonymous developers for a reason, the bad part is that anonymity can kill you if something like this happens. Nobody knows who these guys are so any information coming out could be easily proclaimed as being fake from this point on.

Huge hit to the future of volume-based encryption. There aren't a lot out there, let alone ones that are completely free.
 

Vorador2

One of the weirdest things I've ever seen. Not only are they dropping the software entirely based on a completely unrelated reason (XP support dropping out), but they also recommend a less secure proprietary alternative like Bitlocker, which isn't even available on Home versions of Windows.

My personal take on the matter is that the Truecrypt team has been slowly dissolving since the last version was released two years ago, and the last people maintaining the project have given up on it in a "f*ck it all" way.

In any case, since it's open source it's likely another team will take the baton. Truecrypt is too useful to pass it up, and the initial audit of the software was passed without problems.
 

LORD_ORION

I would think this is more of a "Look NSA, we shut down development and discouraged people from using the software" after the developers were ordered to provide source to the NSA and refused.

Regardless, unless you build it yourself, looks like you can trust nobody.
 

beayn

If TrueCrypt was connecting to unknown internet addresses and sending data, it would have been discovered. That would be the only reason to suddenly stop using it. If it contains a backdoor, of course you're gambling with it being exploited, but we gamble with security flaws that can be exploited every day. I don't see a reason to immediately stop using the software without getting the final results of the second audit. Seems odd to recommend it be stopped immediately. I know some organizations that use the software on dozens of laptops, it would be a pretty big undertaking to stop using it.
 

digimatrix

@Christopher1
@LordConrad

And yet both of you don't have proof to back up your baseless claims. I work for a Fortune 500 company that uses Bitlocker and contrary to what you believe, Bitlocker does not have any backdoors. This is because we hire an independent security auditor to scrutinize Bitlocker's source code (from time to time), subject to a non-disclosure agreement with Microsoft.
 

dro2

@Christopher1
@LordConrad

And yet both of you don't have proof to back up your baseless claims. I work for a Fortune 500 company that uses Bitlocker and contrary to what you believe, Bitlocker does not have any backdoors. This is because we hire an independent security auditor to scrutinize Bitlocker's source code (from time to time), subject to a non-disclosure agreement with Microsoft.

What complete BS...
 

StygianAgenda

If TrueCrypt was connecting to unknown internet addresses and sending data, it would have been discovered. That would be the only reason to suddenly stop using it. If it contains a backdoor, of course you're gambling with it being exploited, but we gamble with security flaws that can be exploited every day. I don't see a reason to immediately stop using the software without getting the final results of the second audit. Seems odd to recommend it be stopped immediately. I know some organizations that use the software on dozens of laptops, it would be a pretty big undertaking to stop using it.
 

StygianAgenda

grr..
Anyways, I agree.
I work in IT, specifically in systems engineering and digital forensics (CPTS) and have a background with countless operating systems over a 30 year history of systems use. I've used and trusted TrueCrypt for quite a long time due to my own research into the components that make up its most intense cryptographic solution (AES+Serpent+Twofish with Whirlpool-hashing). I've long believed that a single block-cipher implementation is 'putting all of your eggs in one basket', so to speak.
Bitlocker, while I have no proof of specific backdoors... I'll just say that the allegations in and of themselves are enough to lead me to question the wisdom of implementing it in any situation where *complete and total* cryptographic coverage is required.

Now, that said: Look back over the past few years of digital crimes news, and you'll find a case that occurred in England, where the courts essentially jailed a man as a means to compel him to release his TrueCrypt credentials because GBHQ (England's own equivalent to our NSA) could not crack his USB drives.

If memory serves, the defendant in that case was using a version prior to v7.2. I can't say for sure it was v7.1a, but as others here have observed, that particular build has been considered stable and secure by its users for 2 years +. So, until something truly superior comes along, I think I'll still keep some trust in the build of TrueCrypt that I've been using and of which I keep backups of the installation binaries for multiple platforms. I've always tended to use it in my own way, opting for a large file-type-vault on USB drives along with the TrueCrypt Traveler Disk files to make it portable, along with a few totally non-sensitive tools for quick access to things (ex: Putty portable; UltraVNC Viewer, etc). I still believe it to be a good solution because we really have no reason to trust or distrust the credibility of the published shutdown statement. The reasons given for the shutdown are dubious due to the lack of any substantiating information to back up the claims of unfixed security flaws. And like some here, a stable build like v7.1a isn't something I'm just going to throw out because of an unsubstantiated claim of a flaw. I'll await the results of the continuing audit and then base my decision on my own knowledge of the feasibility of exploit. There are many flaws in security systems that are just simply too unfeasible to attack using theorized methodology, and tend to have requirements that even the best organized technical operative would be hard pressed to achieve under the most perfect of conditions.
 